Nat Pass and PF Default Rule

Daniel Hartmeier daniel at benzedrine.cx
Fri Nov 16 06:49:38 PST 2007


On Fri, Nov 16, 2007 at 04:30:17PM +0200, N. Ersen SISECI wrote:

> I wrote some scripts for adding or removing rules to the current ruleset.
> If there is a syntax error or something is wrong in the new rule set, pf
> will not load the rules and the default rule
> will affect the new connections. The default pass rule will pass everything.
> And sometimes I cannot notice this. If the default rule is block, I
> will notice this situation.

No, if loading the ruleset fails, the previous ruleset will remain
active. It won't fall back to the empty ruleset. That is, unless you
superfluously use -F, too (don't!).

Changing the default rule breaks more things than you imagine. It's used
for various things (like assignment of pfsync'd states). The breakage
will be broad and subtle, I'd advise against it ;)

Daniel
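A reload wrapper built on the behaviour Daniel describes, as an added example and not code from the thread: it parse-checks the file with pfctl -n before loading and never passes -F, so a broken rule set leaves the previous ruleset active instead of exposing the default pass rule. The /sbin/pfctl path and the PFCTL override variable are assumptions.

```shell
#!/bin/sh
# Safe pf ruleset reload (added example). PFCTL can be overridden, e.g. for
# testing the wrapper without touching a live firewall (assumed path).
PFCTL="${PFCTL:-/sbin/pfctl}"

# pf_reload FILE
#   1. refuse unreadable files
#   2. dry-run parse with -n (nothing reaches the kernel)
#   3. load with -f only if the parse succeeded
# -F is deliberately never used: a failed -f already keeps the old ruleset,
# but flushing first would leave the default rule (pass all) in effect.
pf_reload() {
    file="$1"
    if [ ! -r "$file" ]; then
        echo "pf_reload: cannot read $file" >&2
        return 2
    fi
    if ! "$PFCTL" -nf "$file"; then
        echo "pf_reload: parse error in $file, previous ruleset kept" >&2
        return 1
    fi
    "$PFCTL" -f "$file"
}

# pf_args_safe ARG...
#   Guard for wrapper scripts that build pfctl command lines: returns 1 if
#   any argument is a flush option, so callers can bail out before running.
pf_args_safe() {
    for a in "$@"; do
        case "$a" in
            -F*) return 1 ;;
        esac
    done
    return 0
}
```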

